ci: rebase test performance agent updates

.github/codex/prompts/test-performance-agent.md

@@ -18,6 +18,7 @@ Hard limits:
 - Do not update snapshots, generated baselines, inventories, ignore files, lockfiles, package metadata, CI workflows, or release metadata.
 - Do not add dependencies.
 - Do not create, delete, or rename files.
+- Do not do broad refactors or style-only rewrites.
 - Keep changes minimal and focused on the slow or failing tests you can justify from the report.
 - Prefer no edit when a performance improvement is speculative.
 - If `.artifacts/test-perf/baseline-before.json` has `"failed": true`, do not make performance-only edits. First inspect the failed config logs. Edit only when the test failure has an obvious, coverage-preserving fix. If no obvious failure fix exists, leave the worktree clean.
@@ -26,6 +27,7 @@ Good fixes:
 
 - Replace broad partial module mocks, especially `importOriginal()` mocks, with narrow injected dependencies or local runtime seams.
 - Avoid importing heavy barrels in hot tests when a narrow module or helper covers the same behavior.
+- Add or adjust a production lazy/injection seam only when that is the narrowest way to preserve coverage while removing expensive imports or fixing an obvious mock/import failure.
 - Move expensive setup from per-test hooks to shared setup only when state isolation remains correct.
 - Reuse existing fixtures/builders instead of recreating expensive work per case.
 - Mock expensive runtime boundaries directly: filesystem crawls, package registries, provider SDKs, network/process launch, browser/runtime scanners.

.github/workflows/test-performance-agent.yml

@@ -181,7 +181,7 @@ jobs:
 
       - name: Restore Node 24 path
         if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        run: |
+        run: | # zizmor: ignore[github-env] NODE_BIN is set by the trusted local setup-node-env action in this same job
           set -euo pipefail
           export PATH="${NODE_BIN}:${PATH}"
           echo "${NODE_BIN}" >> "$GITHUB_PATH"
@@ -227,7 +227,6 @@ jobs:
       - name: Commit test performance updates
         if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
         env:
-          BASE_SHA: ${{ steps.gate.outputs.base_sha }}
           GITHUB_TOKEN: ${{ github.token }}
           TARGET_BRANCH: main
         run: |
@@ -253,9 +252,14 @@ jobs:
               exit 0
             fi
             remote_main="$(git rev-parse "origin/${TARGET_BRANCH}")"
-            if [ "$remote_main" != "$BASE_SHA" ]; then
-              echo "main advanced from ${BASE_SHA} to ${remote_main}; skipping stale test performance update."
-              exit 0
+            if [ "$remote_main" != "$(git rev-parse HEAD^)" ]; then
+              echo "main advanced; rebasing test performance update onto ${remote_main}."
+              if ! git rebase "origin/${TARGET_BRANCH}"; then
+                echo "Test performance update no longer applies cleanly; skipping stale update."
+                git rebase --abort || true
+                exit 0
+              fi
+              pnpm check:changed
             fi
             echo "Test performance update attempt ${attempt} failed; retrying."
             sleep $((attempt * 2))

docs/ci.md

@@ -28,12 +28,14 @@ for slow tests. It has no pure schedule: a successful non-bot push CI run on
 `main` can trigger it, but it skips if another workflow-run invocation already
 ran or is running that UTC day. Manual dispatch bypasses that daily activity
 gate. The lane builds a full-suite grouped Vitest performance report, lets Codex
-make only small coverage-preserving test performance fixes, then reruns the
-full-suite report and rejects changes that reduce the passing baseline test
-count. If the baseline has failing tests, Codex may fix only obvious failures
-and the after-agent full-suite report must pass before anything is committed.
-It uses GitHub-hosted Ubuntu so the Codex action can keep the same drop-sudo
-safety posture as the docs agent.
+make only small coverage-preserving test performance fixes instead of broad
+refactors, then reruns the full-suite report and rejects changes that reduce the
+passing baseline test count. If the baseline has failing tests, Codex may fix
+only obvious failures and the after-agent full-suite report must pass before
+anything is committed. When `main` advances before the bot push lands, the lane
+rebases the validated patch, reruns `pnpm check:changed`, and retries the push;
+conflicting stale patches are skipped. It uses GitHub-hosted Ubuntu so the Codex
+action can keep the same drop-sudo safety posture as the docs agent.
 
 ```bash
 gh workflow run duplicate-after-merge.yml \